Attacks that matter

Separating the attack that matters from the noise

It has almost become the norm for a business to be compromised by a security attack. The emphasis today is thus more on how a business responds to the attack, that is how have they prepared for the breach and how do they communicate it?

“Being compromised has become part of doing business in today’s cyber attack infused environment – a scenario that is especially escalating in Africa. It must therefore now be understood that a business’ reputation now rests on how well it has armed, defended, revealed and responded to a cyber attack,” says Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks.

He backs up his statement with a white paper, published by Arbor, titled “Prioritising incident response for attacks that matter”, which states that defence strategies are important – but the power to effectively identify and understand the attacks that bypass your defences is critical in order to respond quickly. Breach prioritisation and effective incident response (IR) starts and ends with insight into your network traffic.

There is a paragraph that reads: “This traffic insight is the only way to establish the context for meaningful detection and rapid incident response to the attacks that really matter, especially the more threatening advanced attacks. A comprehensive and, when required, detailed view of network activity, both in real time and after the fact, allows you to shorten your response time between detection and mitigation. It also helps strengthen your overall security posture to decrease the impact of future incidents.”

Further it highlights that, unfortunately, today’s enterprise is overly reliant on preventive security mechanisms. According to the research, this reliance limits the number of resources dedicated to proactively hunting for other activities in the network that put the business at risk. “Preventive measures, such as breach detection systems (BDS) with sandboxing capabilities, are designed to stop attacks and generate alerts on possible indicators of compromise (IOC). Deployed in front of key infrastructure assets or likely threat surfaces such as web or e-mail servers, sandboxing systems can ‘detonate’ payloads and certainly add to your list of alerts. This is an important layer of enterprise protection as part of a defence-in-depth strategy,” it says.

“BDS should however not be the only way of detecting breaches,” adds Hamman, and explains that this is because they provide neither the complete network picture nor the contextual data that allow you to identify, fully scope and prioritise the attacks that matter. Nor, according to the white paper, do they offer the network capabilities required to correlate IOC from across the network and respond quickly to more stealthy advanced attacks.

So how do you avoid looking like “the little boy who cried wolf” and know when your organisation has actually been breached? The answer seems to lie in detecting and prioritising attacks that matter.

“There is a lot of noise in IOC and managing and prioritising this noise is vital to effective detection and, of course, using your business resources economically,” says Hamman. “Remember that not every malware detection means that you will lose data and have been breached, and can actually distract you from an advanced and real threat by wasting precious time and resources.”

Prioritising the attacks that matter requires context, the Arbor white paper goes on to say, and rapid incident response that covers the full scope of an attack campaign requires a larger picture of the network than sandboxing attachments.

“Without access to the detail from all network traffic, it is extremely difficult to detect multi-stage, long-running advanced attacks, let alone prioritise breaches that are real threats to your organisation,” the paper explains.

“Assembling this bigger picture calls for the retrospective data analysis of your unique enterprise network configuration and traffic. It requires the ability to capture and view detailed data from the extended periods of time (months) it may take to ‘connect the dots’ of advanced attacks: where the network was compromised, when malware was dropped, where it moved and what it touched within the system. This context, combined with accumulated knowledge from threat alerts, signatures, broader attack intelligence and other sources, offers the best opportunity to detect, prioritise and rapidly mitigate an advanced attack in its entirety, regardless of where it is in its lifecycle. Current incident response processes are also hard-pressed to provide adequate documentation of the malware trails for verifiable alerts. Rapid coordination across IR teams, specifically getting management and operations on-board with sometimes difficult decisions, requires credible information. Documented evidence of a malware trail and the potential negative repercussions helps avoid false positives, ineffective fire drills and potentially counterproductive attempts at mitigation.”

Hamman points out that in order to bring context to the chaos to network alerts, the Arbor Networks SP portfolio increases the effectiveness and focus of a security team for the rapid detection and prioritisation of real threats. “Together, these solutions allow you to be more proactive in isolating the attacks that matter.”

For more information about Arbor in Africa, please contact Bryan Hamman at bhamman@arbor.net